Jump to content

Sophisticated PDF exploit


Farelf
 Share

Recommended Posts

Link provided in GRC newgroups by paradoX and Al:

http://www.dshield.org/diary.html?storyid=7867

...Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included java scri_pt in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).

After extracting the included java scri_pt code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long! Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics. ...

Lessons learned

Not only was this a very interesting example of a malicious PDF document carrying a sophisticated "war head", but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims. ...

Which should be enough to make one check that their PDF reader has java scri_pt disabled. Adobe Reader 9 Edit-Preferences-java scri_pt (uncheck top box). Not sure about browser 'helper' applications. Note these may be targeted attacks with very plausible cover stories and AV detection rates may be low/very low (I see Symantec have removed themselves from the VirusTotal battery again - lor' bless 'em).

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...